Technology Partners

Container technology has been instrumental in the transformation of application development and deployment, and Docker has held the pole position. The reasons include Docker’s ease of installation and use, and its ability to automate common tasks so developers can focus on what matters: building great software. Overall Docker adoption has surged 35% within the last 12 months, which is a clear indication that developers see its value and significance. Container technology is very agile. It’s ingrained in the DevOps pipeline and woven into various cloud architectures. However, this technology does create a cause for concern for both developers and security practitioners alike, as it presents yet another platform to secure and protect. Adopting emerging technologies often makes security an afterthought, and the modern use of containerization is no exception.

Protect the host, protect the deployment

There are many moving parts that make up the Docker platform, but in this blog, I’ll focus on the Docker Host and the importance of keeping it protected. Within the Docker Host exist three primary components: the Docker daemon, containers and images. The Docker daemon is a service that runs on the host OS and manages both the containers and images. It listens for API requests from the Docker client and also acts as the communication layer that manages other services within Docker (see Figure 1). Most companies have defined roles within the organization that provide wide-ranging levels of access to the Docker Host for a variety of usages (e.g. managing containers, creating new images and getting real-time events from the server).

Figure 1. Docker’s client-server architecture

Now, there are more than 50 commands that can run within the Docker command-line interface. These include building images from a Dockerfile (docker build), creating a new container (docker create), and terminating one or more running containers (docker kill). Why is this important? Well, would you want every developer, DevOps or IT operations team member within your organization to have the ability to execute some of these potentially risky commands in your container environment? Probably not. Furthermore, there’s a significant privilege escalation risk that lies at the container level. If a user were able to compromise a root account, they’d have the potential to elevate privileges and gain access to the Docker Host, which can be the first step prior to rolling out a full-fledged attack that could put all of the containers at risk.

A few best practices

By implementing the principle of least privilege as well as incorporating separation of duties (SoD) controls, you can protect your modern Docker infrastructure without negatively impacting business efficiency or increasing operational costs. With the introduction of the principle of least privilege, you’re reducing the overall need for root accounts for many different use cases, which in turn improves your organization’s security posture. Take it one step further by installing CyberArk On-Demand Privileges Manager on every Docker Host. A set of role-based permissions can be established which permits only the minimum commands required to perform the necessary tasks that each user’s job function requires – and nothing more (see Figure 2).

Figure 2. Set policies to limit the actions of privileged users on Docker Hosts

These predefined commands can be set for use by specific groups or personas such as Docker Dev, Docker Ops and Docker Security. The policies can be defined via white-listing or black-listing to provide maximum flexibility in achieving your organization’s desired restriction level. All of the elevated commands can then be audited and monitored, allowing security and auditing teams to gain full visibility into your organization’s activity. What if you need to allow root user access to the Docker Host in specific scenarios? It’s a best practice to first centrally manage the root credentials and then introduce an isolation layer between root users and the Docker Host to prevent credential hijacking. You can implement approval workflows and apply further restrictions on the root user’s activities as needed.
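An added example, not CyberArk’s or Docker’s own code, of what a per-persona docker command policy with white-list and black-list modes and an audit record looks like in practice; the persona names come from the post, while the command lists, the option tables and the host-escape check are constructed assumptions for illustration.

```python
"""Role-based policy evaluator for docker CLI commands (illustrative, not CyberArk code)."""
import shlex
from dataclasses import dataclass

# Global docker options that take a value; the subcommand comes after them.
OPTIONS_WITH_VALUE = {"-H", "--host", "-c", "--context", "--config", "-l",
                      "--log-level", "--tlscacert", "--tlscert", "--tlskey"}
# Namespace options that, when set to "host", give a container host-level access.
HOST_NAMESPACE_OPTS = {"--pid", "--net", "--network", "--ipc", "--userns"}

@dataclass(frozen=True)
class Policy:
    mode: str               # "whitelist": only listed subcommands may run
    subcommands: frozenset  # "blacklist": listed subcommands are refused

# Constructed policies for the three personas named in the post.
POLICIES = {
    "Docker Dev": Policy("whitelist", frozenset({"build", "create", "run", "ps", "logs", "images"})),
    "Docker Ops": Policy("blacklist", frozenset({"kill", "rm", "rmi", "system"})),
    "Docker Security": Policy("whitelist", frozenset({"ps", "images", "inspect", "events", "history"})),
}
AUDIT = []  # one record per decision, for the security and auditing teams

def subcommand_of(argv):
    """Return the docker subcommand, skipping global options such as `-H host`."""
    i = 1  # argv[0] is "docker"
    while i < len(argv):
        if argv[i] in OPTIONS_WITH_VALUE:
            i += 2
        elif argv[i].startswith("-"):
            i += 1
        else:
            return argv[i]
    return None

def escapes_to_host(argv):
    """True if the command asks for --privileged or a host namespace (--pid host, --net=host, ...)."""
    for i, tok in enumerate(argv):
        if tok == "--privileged":
            return True
        name, _, value = tok.partition("=")
        if name in HOST_NAMESPACE_OPTS:
            if not value and i + 1 < len(argv):
                value = argv[i + 1]
            if value == "host":
                return True
    return False

def _decide(persona, argv):
    policy = POLICIES.get(persona)
    if policy is None:
        return False, "unknown persona"
    if not argv or argv[0] != "docker":
        return False, "not a docker command"
    sub = subcommand_of(argv)
    if sub is None:
        return False, "no subcommand given"
    if policy.mode == "whitelist" and sub not in policy.subcommands:
        return False, f"'{sub}' is not whitelisted for {persona}"
    if policy.mode == "blacklist" and sub in policy.subcommands:
        return False, f"'{sub}' is blacklisted for {persona}"
    # A permitted run/create must still not hand the caller host-level access.
    if sub in {"run", "create"} and escapes_to_host(argv):
        return False, "container would run with host-level privileges"
    return True, "allowed"

def evaluate(persona, command_line):
    """Decide whether `persona` may run `command_line`; returns (allowed, reason) and audits it."""
    allowed, reason = _decide(persona, shlex.split(command_line))
    AUDIT.append({"persona": persona, "command": command_line, "allowed": allowed, "reason": reason})
    return allowed, reason
```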

Tracking what a root or other power user is doing once they’ve opened a privileged session to the Docker Host is critically important. CyberArk can secure all of this access, record and log all of the activity that occurs, as well as alert on potential threats to your Docker Hosts. Moreover, with CyberArk Conjur you no longer have to guess what’s happening within your Docker Host and containers. Even with many containers being brought up and down in ephemeral environments, you can gain full control and audit over which secrets each container or application can access. Based on an enterprise policy, every container/host/application is allowed access only to authorized resources, using its own machine identity. Every access is audited, and you can verify that the Docker role groups remain in compliance. Additionally, you can see all of your Docker users connected live to the Docker Host, so your organization never has to go blind into containerization again.

These are just a few examples of how CyberArk solutions will bolster your container platform security. Arm your security team. Empower your developers. Find out more by contacting a CyberArk expert for a full product and solution demo.

As organizations increasingly work to leverage cloud-based infrastructure, we see increased attacks and exploits of the vulnerabilities in cloud-based infrastructure. Vulnerable privileged accounts for cloud-based infrastructure all too often make these attacks particularly damaging. Consider, for example, the recent actions of determined hackers against FlexiSpy.

Organizations recognize that protecting their cloud assets is a responsibility they share with their cloud vendors. As organizations work to secure their applications and other sensitive assets in the cloud, they want the same robust security capabilities they’ve had in their on-premises environments. And they want a solution from a leading vendor that they trust to protect their keys to the IT kingdom.

With the dynamic nature and fast pace of cloud deployments and innovation, security, IT and DevOps leaders not only want the most secure, scalable and comprehensive privileged account security solution, but also the convenience and flexibility of rapid deployment into their cloud environments. They basically want robust security for the cloud now!

Deploying CyberArk in as Little as 15 Minutes

Using the new CyberArk cloud automation capabilities, organizations can, in as little as 15 minutes, automatically deploy and establish a complete CyberArk Privileged Account Security solution in their AWS environment. The CyberArk solution established by the automation tools includes the CyberArk Enterprise Password Vault®, CyberArk Privileged Session Manager®, CyberArk SSH Key Manager™ and a disaster recovery (DR) vault. With these new cloud automation capabilities, organizations are able to quickly have CyberArk solutions available, running on AWS, and ready for administrators to start securing the cloud assets.

The CyberArk solution runs on AWS and is designed to provide the same unparalleled, robust security and protection for privileged accounts and credentials that CyberArk offers with on-premises deployments – in fact it’s the same proven solution, just automated for deployment on AWS.

Leveraging AWS Best Practices

The cloud automation capabilities include CyberArk AMIs (Amazon Machine Images) and take advantage of AWS CloudFormation templates to automate the deployment of CyberArk solutions. CloudFormation is designed to give developers and systems administrators an easy way to create, manage and provision a collection of related AWS resources.

Importantly, the CyberArk architecture leverages AWS privileged account security best practices, including separate AWS Availability Zones for the primary and DR vaults. It is designed to ensure that the vaults are both independent from each other and also independent from the cloud assets secured.

Of course there are important prerequisites. First, you will need a valid CyberArk license and an AWS account. You will also need to set up the pre-configured AWS environment to prepare for the automated deployment of the CyberArk solution. This includes AWS VPCs (Virtual Private Clouds), private and public subnets, and Security Groups. Fortunately, to make it easier, an additional CloudFormation template is available from CyberArk to automate the setup and configuration of the AWS environment.

Other Cloud Solutions

We’re excited to offer these new cloud automation capabilities to facilitate deployments of CyberArk solutions for cloud customers. These new capabilities are in addition to our other security capabilities designed specifically for AWS, which include an integration with Amazon Inspector and CyberArk DNA to simplify discovery and prioritization of privileged account risk, enhanced AWS Access Key protection, and an integration with the AWS Security Token Service to allow secure single sign-on to the AWS Management Console. CyberArk also supports and works with other leading cloud vendors.

If you plan to attend the CyberArk Impact 2017 customer event in Italy later this month, you can learn more in the session led by a Senior Solution Architect from AWS. Additional information about how to use CyberArk to secure privileged accounts and credentials in AWS is also available on our website.

Identities and their credentials are considered to be a major vulnerability. It’s been well documented that nearly all advanced attacks investigated involved stolen credentials, and whenever possible, attackers go after privileged credentials. So it comes as no surprise that companies seek to reinforce new identity perimeters by extending their IAM solution visibility and control to privileged users, applications and access entitlements.

As part of the C³ Alliance, leading Identity and Access Management (IAM) solution providers have integrated their solutions with CyberArk Privileged Account Security to give mutual customers unified identity and access governance solutions for all identity types – privileged and non-privileged users and applications.

With the joint solution in place, companies can fully manage privileged users and application entitlements lifecycles through their IAM solution. They can effectively create, review and approve privileged user access permissions based upon group affiliations, roles and other commonalities directly from the IAM solution. What’s more, all privileged access requests are verified using an automated approval workflow.

To address common risks and challenges, companies can update user or group access privileges directly from the IAM solution to avoid orphan privileged accounts, privileged entitlement creep and excessive privileged permissions. Consider this scenario: an Oracle Database Administrator, who is a privileged user, is also granted access to MS-Windows domain accounts while retaining previous access privileges to root accounts. This dual access may constitute a Segregation-of-Duties (SoD) violation, which can result in more than a failed audit. Leveraging the CyberArk integrated solution, the IAM system will be able to alert on SoD violations, so that user access permissions can be updated. Performing periodic reviews and re-certification of privileged access directly from IAM is also possible.

To effectively manage all privileged identities, accounts used by commercial-off-the-shelf (COTS) applications and custom/in-house applications must also be considered. Many organizations overlook the fact that these applications are also granted administrative privileges to access many assets on the network. Whether it’s a financial management application, inventory discovery software or a vulnerability and compliance management solution, they are all granted administrative privileges by the organization to access sensitive assets on the network.

For example, in order for a vulnerability assessment tool to execute an authenticated scan, a domain admin account or a service account credential is used to access the file system on the target machine. Therefore, IAM solutions should also provide users with visibility and control of access permissions for applications. Defining application access permissions and the ability to manage these accounts automatically is key, as well as enforcing any permission changes to ensure the application can only access authorized assets.

To learn more about CyberArk partnerships with leading IAM vendors, click here.

Reviewing recent breaches, we consistently see the same attack patterns. Simply put, attackers crash through the perimeter, compromise a credential and then use the acquired access to move laterally throughout the network. They escalate privileges until they complete their goal. Whether the mission is to steal data, disrupt operations or destroy infrastructure, attackers tenaciously pursue their goals, using a wide variety of tools and tactics.

Ideally, organizations will break the attack lifecycle early in the cycle. In April 2016, CyberArk launched the C3 Alliance – CyberArk’s global technology partner program, to help organizations better address security challenges and to stop the most advanced cyber threats – those involving privileged accounts. By incorporating CyberArk’s privileged account security best practices, as well as leveraging CyberArk privileged account data within a rich partner ecosystem, mutual customers can maximize their existing security and IT investments to enhance their overall security posture.

For example, CyberArk integrates with leading SIEM solutions to leverage CyberArk privileged account activity data and to deliver more valuable insights about advanced threats to customers. Privileged activity alerts from CyberArk Privileged Threat Analytics are sent to the SIEM solutions, and the alerts can then be correlated with other real-time data collected from the organization, so that the most critical security threats can be identified. With these integrated solutions in place, organizations can leverage enhanced detection capabilities to break the attack lifecycle as early as possible.

Here are two scenarios to demonstrate the advantages of the integrated solutions:

An Unmanaged Privileged Account – CyberArk Privileged Threat Analytics integrated with a SIEM solution can detect a privileged account (user or application) that is used in the environment, and flag it if it is not managed in the vault.

By correlating login activity made by privileged accounts received from the SIEM solution with CyberArk Digital Vault data, CyberArk Privileged Threat Analytics verifies if the account is managed by the CyberArk Solution and if not, sends the alert to the SIEM solution. These unmanaged accounts may pose a risk to the customer, as they can be accessed in an uncontrolled way. As a best practice, all privileged accounts should be managed in the CyberArk Solution, especially active accounts in use.

Suspected Credential Theft – An attacker compromises a machine and steals privileged credentials using hash harvesting to execute a Pass-the-Hash attack. Having obtained privileged access, the attacker tries to access a different sensitive machine. The SIEM solution, in this case, sends all login activities to CyberArk Privileged Threat Analytics. CyberArk Privileged Threat Analytics correlates the logs from both sources, trying to find a match between a login to an endpoint and a prior password retrieval from the CyberArk Solution. When CyberArk Privileged Threat Analytics detects that a user is connected to a machine with a privileged account without first retrieving the credential from the CyberArk Digital Vault, the solution can prompt an immediate credential rotation and send an alert to the SIEM that there is a suspected credential theft.
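The two correlations described in these scenarios, the unmanaged-account check and the login-without-prior-retrieval check, as an added example run over constructed log lines; this is not CyberArk’s code, and the log formats, account names, hosts, timestamps and the one-hour retrieval window are all assumptions made for illustration.

```python
"""Correlate SIEM login events with vault retrieval events (illustrative, not CyberArk code)."""
from datetime import datetime, timedelta

# Constructed SIEM login events: which privileged account logged in where, and when.
SIEM_LOGINS = """\
2016-05-10T09:02:11Z account=CORP\\svc_backup host=fs01 src=10.0.5.20
2016-05-10T09:45:30Z account=CORP\\dba_admin host=db02 src=10.0.7.41
2016-05-10T10:15:02Z account=CORP\\dba_admin host=finance-srv src=10.0.9.77
2016-05-10T11:00:45Z account=CORP\\legacy_admin host=hr-srv src=10.0.9.90
""".splitlines()

# Constructed vault audit records: password retrievals made through the vault.
VAULT_RETRIEVALS = """\
2016-05-10T08:58:40Z action=retrieve account=CORP\\svc_backup target=fs01 user=ops.bob
2016-05-10T09:40:00Z action=retrieve account=CORP\\dba_admin target=db02 user=dba.alice
""".splitlines()

# Accounts onboarded to the vault; anything else seen logging in is unmanaged.
MANAGED_ACCOUNTS = {"CORP\\svc_backup", "CORP\\dba_admin"}
# A login is expected to follow a retrieval for the same account and target within this window.
RETRIEVAL_WINDOW = timedelta(hours=1)

def parse(line):
    """Turn '<timestamp> key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def has_prior_retrieval(login, retrievals):
    """True if the account's password was retrieved for this host shortly before the login."""
    earliest = login["ts"] - RETRIEVAL_WINDOW
    return any(r["account"] == login["account"] and r["target"] == login["host"]
               and earliest <= r["ts"] <= login["ts"]
               for r in retrievals)

def correlate(login_lines, vault_lines, managed):
    """Return the alerts the two scenarios describe, in login order."""
    retrievals = [parse(line) for line in vault_lines]
    alerts = []
    for login in map(parse, login_lines):
        base = {"account": login["account"], "host": login["host"], "at": login["ts"].isoformat()}
        if login["account"] not in managed:
            # Scenario 1: active privileged account that the vault does not manage.
            alerts.append({"type": "unmanaged_privileged_account",
                           "action": "onboard account to the vault", **base})
        elif not has_prior_retrieval(login, retrievals):
            # Scenario 2: managed account used without a preceding vault retrieval.
            alerts.append({"type": "suspected_credential_theft",
                           "action": "rotate credential immediately", **base})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SIEM_LOGINS, VAULT_RETRIEVALS, MANAGED_ACCOUNTS):
        print(alert)
```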

Keep in mind, attackers will act inside a network undetected for an average of 146 days. If an organization is able to detect privileged misuse quickly, the time exposed can be significantly reduced, resulting in a corresponding reduction in damage to the business.

To learn more about how CyberArk works with leading SIEM vendors, click here or watch a short video of one of our C3 Alliance members talking about market trends and the advantages of technology integration with CyberArk.

Join us on Tuesday, May 24, 2016 for a webinar with FireEye. The webinar will focus on how attackers find their way into the heart of enterprises, the role privileged credentials (passwords and SSH keys) play in an active cyber attack, and how the integration of the CyberArk Privileged Account Security Solution and the FireEye Threat Analytics Platform (TAP) can help organizations detect, alert and rapidly respond to cyber attacks.

The C3 Alliance Global Technology Partner Program brings together key enterprise and security software companies to deliver integrated, tested solutions to better protect our shared customers, making it easier to extend the power of privileged account security across an organization and enhance the overall security posture.

With the launch of the C3 Alliance, it’s a perfect time to learn more about how CyberArk works with partners to integrate technology with CyberArk’s Privileged Account Security Solution. Edward Nunez, an alliances technology expert on CyberArk’s Business Development team, knows this process well, so we asked him a few questions to better understand what’s involved.

How does CyberArk work with its partners to integrate technology?

Through the C3 Alliance, we work with partners to integrate a wide range of security products with the CyberArk Privileged Account Security solution. We provide access to CyberArk resources and expertise. This includes the tools, training resources, documentation and cloud-based environments they need to develop, test and enhance their offerings. We offer advice on best practices to ensure that the integration is developed with the highest security standards in mind. Not only do we provide our partners with the tools and resources needed to succeed, but we also provide support. For example, if they face challenges or need to troubleshoot any issues, we are there to help – whether it be to provide guidance directly or to identify internal resources that can address the problem.

Can you talk about the development phase? What’s typically involved?

We work closely with our partners – from the initial design phase through testing and certification – to ensure that the integrated technologies meet the requirements of our mutual customers and provide value-added solutions. We kick off the development process with an initial design phase, which involves a discussion with our partner on the planned architecture, integration details, etc. We then establish a regular review process to ensure the partner is fully supported along each step of the way. At the end of the development phase, we hold an in-depth demonstration and working session with our partner and our product managers for a quality assurance review and certification.

Do you have any advice to offer companies that want to join the C3 Alliance?

Yes, consider the role privileged account security plays in the incident response field and the different venues for integration offered by CyberArk. The options range from gaining access to detailed privileged activity data/alerts to securing and managing credentials via CyberArk.

Partners should also align with requests and feedback from the field to validate priorities. There are use cases where mutual customers have requested specific integrations to ensure access to credentials is secure. Some partners may start with securing and managing credentials for specific solutions and expand use cases from there. Considering the possibilities and feedback from the field is helpful as we brainstorm on the different use cases for integration with our partners.

C3 Alliance members represent enterprise software, infrastructure and security solutions, including security information and event management (SIEM), identity and access governance, asset and vulnerability discovery, security management and authentication services that benefit from tighter integration with CyberArk for securing privileged accounts and using privileged data to detect and respond to threats.

We encourage companies interested in joining the C3 Alliance to contact us at [email protected] to start exploring ideas and possible use cases for integration.